There are huge costs associated with privacy breaches — like reputational damage and the resources required to address the breach. Now, there’s also the potential of a substantial fine for those that fail to report it in a timely manner.
The mandatory breach notification rules under the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect on November 1, 2018.
Under this act, the Office of the Privacy Commissioner of Canada (OPC) requires organizations to report any security breach involving personal information that creates a “real risk of significant harm” (RROSH) to both the people affected and the Privacy Commissioner. They must also keep records of all breaches.
Risks for failing to report
Failure to report such incidents could expose businesses to fines of up to $100,000 for each time an individual is affected by a security breach if the federal government decides to prosecute, reports CTV News.
“And since PIPEDA is full of imprecise language that requires notifications ‘as soon as feasible’ after a ‘real risk’ of ‘significant harm’ has been detected, there’s a danger that some incidents will be reported too slowly or not at all,” CTV reports.
Indeed, most SMBs are confused about when to report and are concerned about the cost of compliance, according to Fazilia Nuran, founder of Privatech Consulting. “For example, is legal counsel required every time there is a breach/potential breach to assist with determining if the legal threshold of ‘real risk of significant harm’ has been met?” she asks.
Don’t sweep breaches under the rug
The ambiguity around reporting requirements coupled with the reticence to acknowledge an incident means some companies will still try to sweep breaches “under the rug,” Nuran says.
“Notification and reporting is a serious — and scary — business,” she says. “If the reputational harm associated with notification and reporting seems significant, there is the temptation to just hope that the breach won’t be discovered. Even with the new fines under PIPEDA for knowingly failing to report a breach, human beings don’t always own up to mistakes if the stakes are high.”
A survey earlier this year revealed that many companies are not prepared for the new rules. It also found that there’s a gap between businesses’ understanding of their obligations and their ability to respond appropriately.
Size doesn’t matter in data breaches
Many small to medium-sized businesses (SMBs) are under the mistaken impression that because they are not a large enterprise, they won’t experience a breach. But when it comes to data hacks, size doesn’t matter, says Sharon Bauer, Senior Manager in the privacy, regulatory and information management consulting practice at KPMG Canada.
“SMBs need to prioritize privacy compliance and prepare for potential breaches,” she says. “Having a response plan can prevent regulatory orders, significant fines, lawsuits and reputational harm, all of which can put SMBs out of business, unlike larger enterprises that can survive these hardships.”
When it comes to preparing a breach response plan, there are definite advantages to enlisting the services of a subject-matter expert, Bauer says. But those with limited budgets can consult the OPC’s website, which provides a basic overview on how best to comply as well as the forms to be completed when reporting a breach.
“KPMG’s Privacy, Regulatory & Information Management (PRIM) group services clients across industries irrespective of their size and provides proactive risk management services such as preparing breach response plans, privacy risk assessments and privacy staff training,” she says.
Nuran agrees that a breach response plan is critical and that organizations may be able to leverage their IT department’s incident response plan as a good starting place. Privatech has also developed a Privacy Breach Response Procedure template.
Even if SMBs do have a breach response plan in place, under the new rules, many will still have to create a breach record-keeping policy, as they are now obligated to maintain records of all breaches — regardless of whether they are reported to the OPC, Bauer says.
Getting a breach plan in place
In addition to breach response plans, she recommends the following proactive measures:
- Encrypt personal data as a security measure. If encrypted personal data is breached and the encryption key is not compromised, then confidentiality is preserved. Since the data is unreadable and there is no RROSH, the organization might not need to report the breach to the OPC.
- Train and educate staff on how to minimize the risk of a breach and how best to identify a breach. The majority of breaches occur as a result of employee negligence (e.g. social engineering, phishing).
- Consider purchasing cyber insurance to protect against liability and breach expenses such as legal, forensic, notification expenses and possible PR costs — all of which can put SMBs out of business.
Nuran also suggests the following steps to create a best practices strategy around data breaches:
- Consider trusted service providers. Have you had conversations with trusted third parties about breach management and notifying you if a threat occurs? Trusted service providers should have a plan for how they will support clients with breach notifications and reporting obligations.
- What system are you going to use for breach recordkeeping? Remember, there is no materiality threshold: detailed records must accompany all breaches even if the RROSH test hasn’t been met.
- Training and communication plans should be addressed. Staff should know what a data breach is, what information to collect and who to report the breach to internally. Managers should know the reporting and notification responsibilities of the organization and how to support the privacy officer.